September 29, 2020

Volume X, Number 273

Cybersecurity for Federal Contractors in a Time of Divided Government

The recent cyberattack against the U.S. Office of Personnel Management highlights the vulnerability of public IT systems and the urgent need to protect those systems and the sensitive government data that resides there. According to reports, at least 3 million federal employees’ private data was compromised, but the scope of the attack may have been much broader and deeper. Before the dust settled on that cyberattack, the U.S. Army website was hacked by a group of Syrians. Before that, the White House website was hacked. And the list goes on.

Through it all, Congress has seen fit to pass . . . nothing? Truth be told, the House already passed different versions of a cybersecurity information sharing bill that easily cleared the Senate Intelligence Committee but now appears to be stalled on the Hill. Gridlock in Washington is nothing new, but in the meantime, what steps should federal contractors be taking to protect sensitive government information?

There are multiple sources for cybersecurity controls in the federal sector: the Federal Information Security Management Act of 2002, the Federal Risk and Authorization Management Program, and the National Institute of Standards and Technology Cybersecurity Framework. The DFARS has specific requirements that are mandated to be in all defense contracts. Even though that DFARS clause, 252.204-7012, was issued in November 2013, according to a recent DOD Memorandum and attached scorecard, there are currently no defense components that have fully complied with that mandate. In fact, the current scorecard for the second quarter of 2015 shows that the U.S. Army has only included that DFARS provision in 41% of contracts and solicitations. There is no doubt that the Army and other defense agencies can and should do a better job. But contractors have a role to play as well.

Even when the DFARS clause has been omitted, as it has in 59% of current Army contracts, defense contractors should treat their contracts as if the clause is included. They should engage the Government proactively to modify their contracts to fully comply, and they should implement the measures required by the omitted clause to protect the sensitive data and their systems. The other option is to bury your head in the sand and hope that your system is not hacked and the government data is not compromised. Of course, hope is not really an option. What about the extra costs associated with the added controls required by DFARS 252.204-7012? Those should be paid by your government customer through a change order or contract modification.

When it comes to cybersecurity, federal contractors and government agencies are very much partners. And partnerships work best when partners communicate openly with one another. So, when a required clause gets omitted from your contract, don’t cross your fingers and hope nothing happens to the sensitive data that has been entrusted to you by your partner. Speak up!

Copyright Holland & Hart LLP 1995-2020. National Law Review, Volume V, Number 202


About this Author

Charles R. Lucy
Of Counsel

Mr. Lucy brings more than 30 years of federal regulatory, business, and litigation experience, as well as technical experience in federal/state procurement and acquisition matters, bid protests, Contract Disputes Act appeals, government contract audits and fiscal law issues, commercial space law, university/government technology transfer programs, homeland defense, and small business government contracting.

Mr. Lucy has lectured at numerous conferences and seminars in Europe, the Pacific, and the United States. Topics have included...

Of Counsel

Janna J. Lewis is a registered U.S. patent attorney and a member of Holland & Hart's Intellectual Property Group and Government Contracts Group, and Co-Chair of the firm's Aerospace Subgroup, focusing her practice on licensing and technology transactions, government contracts and bid protests.  

Ms. Lewis manages complex technology transactions, including the licensing, development, commercialization, transfer of intellectual property rights and assets, and intellectual property and data rights issues in government contracts.

Her clients hail from a variety of industries, including aerospace and defense, launch services, satellite communications, robotics, avionics, software and information technology, unmanned aerial systems, digital media and on-demand content distribution, mobile devices, and renewable energy. 

Of Counsel

Michael D. Maloney is Of Counsel in the Washington, D.C. office representing clients in all phases of government contracts and disputes in a wide array of industries. A seasoned litigator with over 25 years in private practice, Mr. Maloney strategically advises clients how and where to pursue complex bid protest matters before the Government Accountability Office, the Court of Federal Claims and other federal courts, or directly to the administering federal agency. He also counsels clients on federal, state, and local procurement compliance, guiding clients through the...